rubenv / sql-migrate

SQL schema migration tool for Go.
MIT License

strong password in dbconfig.yml not escaping #139

Open mdere-unbound opened 5 years ago

mdere-unbound commented 5 years ago

For some reason in the following

development:
    dialect: postgres
    datasource: dbname=local user=admin password="......" host=localhost port=5432 sslmode=disable
    dir: migrations/postgres

When I use a complicated strong password with symbols, this gives me auth errors, but as soon as I turn the password to something simple - it goes through.

Am I missing something?

bdelliott commented 2 years ago

I hit this today too - there's some code expanding variables like $DB_PASSWORD and unintentionally treating any dollar sign in the password as the start of a variable name reference.

rubenv commented 2 years ago

In all likelihood, these are YAML quirks.

bdelliott commented 2 years ago

The problem line is here: https://github.com/rubenv/sql-migrate/blob/master/sql-migrate/config.go#L75

os.ExpandEnv will interpret any $ sign as a variable to substitute, returning an empty string when that variable doesn't exist in the environment.

See: https://play.golang.wiki/p/Da4G-gXuwkY

This is by design in the Go function; it's just a shame it's consuming a dollar sign literal in the configured DSN in dbconfig.yml.
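
The behaviour described in this thread, as an added example that is not code from sql-migrate or from any commenter: it shows os.ExpandEnv silently truncating a password that contains a literal `$`, next to a stricter expansion that fails instead. The helper name `expandStrict`, the sample DSN and the variable name `Xq7zUnsetTail` are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
)

// expandStrict expands $VAR / ${VAR} like os.ExpandEnv, but returns an error
// naming every reference that is not set in the environment instead of
// silently replacing it with "" (hypothetical helper, not part of sql-migrate).
func expandStrict(s string) (string, error) {
	var missing []string
	out := os.Expand(s, func(name string) string {
		v, ok := os.LookupEnv(name)
		if !ok {
			missing = append(missing, name)
		}
		return v
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unset variable reference(s) %q in datasource", missing)
	}
	return out, nil
}

func main() {
	// Constructed sample: the password contains a literal dollar sign.
	const dsn = "dbname=local user=admin password=S3cr$Xq7zUnsetTail! host=localhost"

	// os.ExpandEnv drops "$Xq7zUnsetTail" because no such variable exists,
	// so the server receives "S3cr!" and authentication fails.
	fmt.Println(os.ExpandEnv(dsn))

	// The strict variant fails loudly instead of sending a truncated password.
	if _, err := expandStrict(dsn); err != nil {
		fmt.Println("error:", err)
	}

	// Expansion is not recursive: a "$" inside the value of DB_PASSWORD
	// survives, so the secret can live in the environment unmodified.
	os.Setenv("DB_PASSWORD", "S3cr$Xq7zUnsetTail!")
	expanded, _ := expandStrict("dbname=local user=admin password=$DB_PASSWORD host=localhost")
	fmt.Println(expanded)
}
```

Because os.Expand does not re-expand substituted values, referencing the password as `$DB_PASSWORD` in the datasource keeps any `$` characters in the secret intact.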